ASA w WCCP redirecting to Squid on CentOS- TCP re-transmissions

Unanswered Question
Mar 21st, 2014

Hello all... hoping somebody can help me here. Having a bear of a time getting WCCP redirection working for http clients using Squid on CentOS as a proxy and an ASA as my firewall device. I've followed 10 or so articles to no avail. This one here seems concise enough and I followed it verbatim. Except for the iptables -t nat -A POSTROUTING -j MASQUERADE line at the end...did not see that anywhere else and read it can cause issues with firewalls.



I have connectivity throughout the network. Squid is working and works fine if I point my browsers to it, clients can get out.... But just can't get the transparent redirect\intercept to work w WCCP.

I've attached a screen shot of a Wireshark capture at the eth0 of the Squid box. When requesting a website from a Windows client (novell.com for example) I get a TCP packet from the ASA to the proxy as it should, with the WCCP\GRE packet with the web request inside. After that it's a TCP out-of-order packet followed by a slew of TCP retransmits from the requesting client to the web site - with every other packet having the WCCP\GRE header.

I could certainly post my pertinent configs but I think they are solid as per the above article and all else I've researched.

Here's the basic topology:

ASA- inside- (also my WCCP ID)-

Squid proxy (3128)- w a gre interface (wccp0) redirecting to port 3129

Windows client-

Cisco Adaptive Security Appliance Software Version 8.4(2)
Squid V 3.4

CentOS 6.5


Any help is appreciated - would love to get this to work! Dennis

Dennis Topo Jr Thu, 03/27/2014 - 09:15
Did some more captures...found that my redirects were not getting decapsulated on the squid box. It was my iptables line in CentOS

Needed to use the DNAT directive as such...NOT the Redirect, as you may see in other posts.

iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j DNAT --to-destination

Blogged my set up too...for those interested:
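To make the reply's point concrete, here is an added example (not the poster's or Squid's code) that decapsulates a WCCP GRE frame the way the wccp0 interface must, pulls out the inner client-to-web-server TCP flow, and models what the DNAT rule does to it. It assumes GRE protocol type 0x883E for WCCP, an optional 4-byte WCCPv2 redirect header in front of the inner IP packet, and placeholder addresses (192.0.2.10 client, 198.51.100.80 web server, 192.0.2.20 proxy).

```python
import struct
import ipaddress

# EtherType carried in the GRE protocol-type field for WCCP redirects.
GRE_PROTO_WCCP = 0x883E

def parse_gre_wccp(packet):
    """Decapsulate a WCCP GRE frame (as seen on wccp0) and return the inner
    IPv4/TCP 4-tuple. Raises ValueError if the frame is not what we expect."""
    flags, proto = struct.unpack("!HH", packet[:4])
    if proto != GRE_PROTO_WCCP:
        raise ValueError("not a WCCP GRE frame: proto=0x%04x" % proto)
    off = 4
    if flags & 0x8000:  # C bit: checksum (+reserved) present
        off += 4
    if flags & 0x2000:  # K bit: key present
        off += 4
    if flags & 0x1000:  # S bit: sequence number present
        off += 4
    # Assumption: WCCPv2 may prepend a 4-byte redirect header to the inner
    # packet; skip it when the next byte does not start an IPv4 header.
    if packet[off] >> 4 != 4:
        off += 4
    ihl = (packet[off] & 0x0F) * 4
    if packet[off + 9] != 6:
        raise ValueError("inner packet is not TCP")
    src = str(ipaddress.IPv4Address(packet[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(packet[off + 16:off + 20]))
    sport, dport = struct.unpack("!HH", packet[off + ihl:off + ihl + 4])
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def apply_dnat(flow, proxy_ip, proxy_port=3129):
    """Model the reply's rule: -i wccp0 -p tcp --dport 80 -j DNAT
    --to-destination proxy_ip:proxy_port. Only port-80 flows are rewritten.
    (REDIRECT instead points the packet at the primary address of the
    incoming interface, here the GRE tunnel, not the proxy's real address.)"""
    if flow["dport"] != 80:
        return dict(flow)
    return dict(flow, dst=proxy_ip, dport=proxy_port)

def build_sample():
    """Constructed sample: GRE(WCCP) + assumed redirect header + IPv4 + TCP SYN
    from a client (192.0.2.10) to a web server (198.51.100.80) on port 80."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.80").packed)
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 0, 0, 0x50, 0x02, 0, 0, 0)
    return struct.pack("!HH", 0, GRE_PROTO_WCCP) + b"\x00\x00\x00\x00" + ip + tcp

if __name__ == "__main__":
    flow = parse_gre_wccp(build_sample())
    print("decapsulated:", flow)
    print("after DNAT:", apply_dnat(flow, "192.0.2.20"))  # proxy placeholder
```

If the captured GRE frames never yield a sane inner IPv4/TCP tuple here, the problem is on the decapsulation side (wccp0), not in the NAT rule.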